Technology and Your GDPR journey

Since you’ve reached this page, GDPR (General Data Protection Regulation) must mean something to you or you need to find out if it does! In this blog, we will quickly review GDPR and its importance and then focus on the role technology can play to support effective GDPR compliance.

GDPR Overview

What is GDPR?
GDPR is by far the most significant change in consumer data protection in the last three decades. GDPR brings renewed importance to the handling of an EU citizen’s personal data. Consumer data, in this case, can be any data about an EU citizen like their email, address, browsing history, bank account details, and so on. GDPR requires more transparency and transfers control of data back into the hands of the consumer. The deadline for compliance is 25th May 2018 and it is approaching fast.
Some terminology:

Data Controller is an entity that determines the purpose of, and the processing around, personal data.

Data Processor is any entity (e.g. person, agency, body) that processes personal data on behalf of the data controller.

What is the impact?
A lot is at stake if an organization does not comply with GDPR – financial as well as reputational. The impacts are far-reaching, whether you are part of a giant corporation like Google or Facebook or a mom-and-pop shop collecting online orders. Essentially, complying with GDPR requires changes to the way we do business. As the UK’s Information Commissioner’s Office (ICO) notes:

“In a large or complex business this could have significant budgetary, IT, personnel, governance and communications implications.”

Given the amount of work and the fast-approaching timeline for GDPR compliance, this might seem an overwhelming task, but thankfully technology can come to the rescue. GDPR compliance initiatives across organizations will have some common themes, e.g. developing a shared understanding and awareness among the different stakeholders, as well as some organization-specific elements. Wouldn’t it be great if there were a technological platform that could save organizations this re-work while offering the flexibility to cater to organization-specific needs?

Technology and your GDPR journey

The following walks through each ICO-recommended step and describes the support for that step in TopBraid EDG.

Awareness:
Capturing information in a central collaborative environment ensures harmonized exchanges between the different teams involved in the GDPR compliance effort.

TopBraid EDG’s pre-built ReCo (Regulatory Compliance) model represents the GDPR regulation in a structured format. Given the scope of GDPR and the tight timelines, leading a well-organized effort is critical. Going from unstructured to structured format brings significant advantages including better search, automated policy enforcement and seamless collaboration amongst the stakeholders. For example, this lets you capture the relationship from specific articles and obligations in GDPR to your organization policies that ensure compliance using the knowledge graph.

Information you hold:
A good place to start your GDPR compliance journey is to figure out where you are in terms of identifying the Personally Identifiable Information (PII) elements, their category (personal, biometric, genetic, sensitive, etc.), their criticality, and the metadata related to data storage, flow and usage.

One especially interesting aspect of this identification step is that many of the relationships between the processes that involve data elements (storage, transmission, erasure, restriction, consent, verification, etc.) and the regulations they are subject to are context dependent – that is, they depend on how the data is being processed with respect to geographic jurisdiction, health, workplace, gender, foreign policy, security and law enforcement, etc. The obligations an entity is subject to depend on how the data flows through the processes, which applications it participates in, which reports it is included in, etc. Moreover, they depend on WHERE the processes are taking place and WHO is accessing the data. For example, if the data subject exercises their right to restrict data processing, the data controller may only continue to process the data if it obtains the data subject’s consent or if processing is necessary for a legal claim. TopBraid EDG can help you paint the complete picture of the data elements and the context around them.

Communicating Privacy Information:
Organizations will have to clearly spell out how they intend to use an individual’s data.

Deriving such data-use policies will be a lot easier if you understand your complete data landscape. These policies will then have to be enforced for the use of data within your organization as well as by any downstream data processors. Policies in TopBraid EDG can be framed as a collection of rules. These rules can be enforced automatically, providing Data Protection Officers with quick answers when they are faced with questions like “I need to share this data with this Data Controller – can I do that and still be GDPR compliant?”

Individuals’ rights:
The users can report inaccuracies, request a copy or request deletion of their personal data.

These user-initiated actions put new responsibilities on organizations that capture an individual’s data. TopBraid EDG makes it easier to track and automatically update all parties involved when such actions are initiated. For example, each downstream Data Processor can be automatically updated when inaccuracies are reported in the data.

Data Breaches:
Data breaches will have to be reported in a timely manner to the concerned authorities and to the individuals affected.

In the event of a data breach, access to timely and accurate information is essential. Organizations are required to notify authorities within 72 hours of the breach. This is a very short amount of time to assess the scope and impact of the breach and compile an accurate response, especially if multiple stakeholders need to get involved in assembling it. In fact, the 72-hour window is emerging as the new standard for breach notification requirements not only for GDPR but for several other regulations. Businesses should prepare for this, even if only internally for now, in case it becomes adopted by all (or most) regulations.
With TopBraid EDG, organizations can represent their entire data landscape in a connected knowledge graph. This means the knowledge graph contains information to address critical questions such as:

What data elements are PII?

How critical are the data elements?

What geographical areas do they belong to?

What infrastructure are they stored on?

Who are the stakeholders for the data affected by the breach?

EDG provides multiple methods of querying and navigating this information for timely delivery.

Data Protection by Design and Data Protection Impact Assessments:
The Data Controllers must make sure that the data is used only in compliance with what the user has given permission for.

Complying with this aspect of GDPR requires greater insight into the contracts governing data use by any downstream systems. Policy rules defined in TopBraid EDG let you make sure that a data element marked as PII follows certain rules, depending on the processes it participates in and the data obligation that is derived from the combination of PII data element + type of process + location.
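To make the derivation concrete, here is an added example (not TopBraid EDG code, nor its rule syntax) that models obligations as a function of PII data element + type of process + location, and applies the restriction rule from the “Information you hold” step: once a data subject has restricted processing, it may continue only with consent or for a legal claim. The categories, jurisdictions and rule table are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed vocabulary for the example; a real deployment would take these from its data catalog.
SPECIAL_CATEGORIES = {"biometric", "genetic", "health"}
EU_JURISDICTIONS = {"EU"}


@dataclass(frozen=True)
class DataElement:
    name: str
    category: str      # e.g. "personal", "biometric", "genetic", "health"
    pii: bool = True   # marked as PII in the data landscape


@dataclass(frozen=True)
class ProcessingContext:
    process_type: str          # e.g. "storage", "transmission", "erasure"
    location: str              # jurisdiction where the process runs, e.g. "EU", "US"
    restricted: bool = False   # data subject has exercised the right to restrict processing
    consent: bool = False      # data subject consented to the restricted processing
    legal_claim: bool = False  # processing is necessary for a legal claim


# Constructed rule table: (predicate over element + context, obligation it derives).
RULES = [
    (lambda e, c: e.pii, "record the processing activity"),
    (lambda e, c: e.pii and c.process_type == "transmission" and c.location not in EU_JURISDICTIONS,
     "apply safeguards for transfer outside the EU"),
    (lambda e, c: e.pii and e.category in SPECIAL_CATEGORIES, "apply special-category safeguards"),
    (lambda e, c: e.pii and c.process_type == "erasure", "propagate erasure to downstream data processors"),
]


def derive_obligations(element, ctx):
    """Obligations that apply to this data element in this processing context."""
    return [obligation for rule, obligation in RULES if rule(element, ctx)]


def processing_allowed(element, ctx):
    """Answer the Data Protection Officer's question: may this processing go ahead, and why?"""
    if not element.pii:
        return True, "not personal data"
    if ctx.restricted and not (ctx.consent or ctx.legal_claim):
        return False, "processing restricted by the data subject; needs consent or a legal claim"
    return True, "permitted; obligations: " + ", ".join(derive_obligations(element, ctx))


if __name__ == "__main__":
    fingerprint = DataElement("fingerprint_template", "biometric")
    print(processing_allowed(fingerprint, ProcessingContext("transmission", "US")))
    print(processing_allowed(fingerprint, ProcessingContext("storage", "EU", restricted=True)))
```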

Changing regulations, business demands and technology can be a big pain for organizations trying to achieve compliance. What’s a weakness for some is a strength for others. These challenges play well to the strength of TopBraid EDG, since adding a new type of information it can govern is as simple as adding a new “edge” (pun intended) in the knowledge graph. You can start with TopBraid EDG as your GDPR documentation tool and, as you expand your support for addressing GDPR requirements, the enterprise capabilities of the underlying platform will let you use it as your one-stop GDPR compliance tool.

Below is a diagram in TopBraid EDG showing the relationship between a data element and a GDPR obligation that applies to it in the context of specific processing. TopBraid EDG comes pre-populated with GDPR obligations captured in structured format. It assists users in identifying how regulations apply to data and processes, capturing this information and making it immediately available for search, query and reporting.